fumatchu / RADS

Rocky Active Directory Install Script to build Samba AD Servers
The Unlicense

Samba service not starting after installing primary DC #1

Closed Carbon401 closed 2 months ago

Carbon401 commented 2 months ago

I've started the script to install a primary DC on a Proxmox Rocky 9 VM. It's a fresh minimal install - I only selected a static IP and FQDN in the network section. The script finished but failed the testing part in the end. I've noticed that the samba service is not running and cannot be started. I also noticed that there's no current /etc/samba/smb.conf file. Any help debugging this? Thanks

[root@dc ~]# systemctl restart samba
Job for samba.service failed because the control process exited with error code.
See "systemctl status samba.service" and "journalctl -xeu samba.service" for details.
[root@dc ~]# systemctl status samba
× samba.service - Samba AD Daemon
     Loaded: loaded (/usr/lib/systemd/system/samba.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Tue 2024-07-09 10:32:17 EEST; 2s ago
       Docs: man:samba(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 1523 ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS (code=exited, status=1/FAILURE)
   Main PID: 1523 (code=exited, status=1/FAILURE)
        CPU: 37ms

Jul 09 10:32:17 dc.***.lan systemd[1]: Starting Samba AD Daemon...
Jul 09 10:32:17 dc.***.lan systemd[1]: samba.service: Main process exited, code=exited, status=1/FAILURE
Jul 09 10:32:17 dc.***.lan systemd[1]: samba.service: Failed with result 'exit-code'.
Jul 09 10:32:17 dc.***.lan systemd[1]: Failed to start Samba AD Daemon.
[root@dc ~]# ls /etc/samba/
lmhosts  smb.bak.orig  smb.conf.example

fumatchu commented 2 months ago

Sorry you had an issue. I do not have Proxmox loaded right now, but I did install it through KVM today with a static IP and it "looks" as though the script was successful, without errors, on Rocky 9.4.

A couple of questions for you: Are you referring to the network section in the GUI? Or did you let your server get DHCP, then let the script modify your settings? What is the name of your interface? I had an individual having issues, but they were modifying their DNS. When you specified your DNS, I assume you used an external DNS server? 8.8.8.8? Or 208.67.222.222? The script will change your DNS for you to the interface of your primary IP address that it finds for name resolution.

Looking at the script, it looks like it failed relatively high. This is telling me that mock was not successful OR domain provisioning failed, and therefore I am now wondering if you had good connectivity. Let me know your thoughts. Also, what was the name of the domain you specified for provisioning? The script looks at the FQDN and strips the domain name to create the domain, but you saw that when you were running the initial setup.

Initial build:

    dnf install epel-release createrepo -y
    crb enable
    dnf install mock -y
    dnf download samba --source
    mock -r rocky-"$MAJOROS"-x86_64 --enablerepo=devel \
        --define 'dist .el'"$MAJOROS"'_'"$MINOROS"'.dc' --with dc "$MOCKSMBVER"src.rpm
    mkdir /root/.samba
    cp /var/lib/mock/rocky-"$MAJOROS"-x86_64/result/*.rpm /root/.samba
    createrepo /root/.samba

    dnf config-manager --add-repo /root/samba

    dnf -y install --nogpgcheck samba-dc samba-client krb5-workstation samba \
        --repofrompath=samba,/root/.samba \
        --enablerepo=samba

Move smb.conf file:

    mv -f /etc/samba/smb.conf /etc/samba/smb.bak.orig

Provision Domain:

    samba-tool domain provision \
        --realm="$DOMAIN" \
        --domain="$ADDOMAIN" \
        --adminpass="$ADMINPASS"

Copy KDC:

    \cp -rf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set DNS resolver:

    nmcli con mod $INTERFACE ipv4.dns $IP
    systemctl restart NetworkManager

Initially, the script creates (and looks for) a couple of variables:

    INTERFACE=$(nmcli | grep "connected to" | cut -c22-)

Then another variable:

    DETECTIP=$(nmcli -f ipv4.method con show $INTERFACE)

Please provide the following. Run this command:

    nmcli | grep "connected to" | cut -c22-

Then run these commands:

    INTERFACE=$(nmcli | grep "connected to" | cut -c22-)
    DETECTIP=$(nmcli -f ipv4.method con show $INTERFACE)
    echo $DETECTIP

Provide the output of the command above (echo $DETECTIP).

Carbon401 commented 2 months ago

Hello, thanks for helping me with this. nmcli | grep "connected to" | cut -c22- output is ns18 but the correct interface name is ens18. Probably a better strategy is to use cut -d " " -f4 instead of cut -c22-

The raw output of nmcli | grep "connected to" is ens18: connected to ens18.

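As an added example (not the RADS script's own code), here is the interface-detection step done by field instead of by character column, which is the failure the two comments above describe. It assumes only the `nmcli` overview format quoted above (`<device>: connected to <connection-name>`); the functions take captured `nmcli` output as an argument so they can be exercised without NetworkManager present, and the `NAME:DEVICE` sample in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not code from the RADS script.
# Parse the NetworkManager connection name out of `nmcli` overview output by
# field, not by character column.
#
# `nmcli` with no arguments prints one line per device, for example:
#   ens18: connected to ens18
#   enp1s0: connected to Wired connection 1
# The text after "connected to " is the connection *profile* name, which is
# what `nmcli con show` / `nmcli con mod` expect. `cut -c22-` only lands on
# it when the device name is exactly six characters long; for "ens18" the
# name starts at column 21, so column 22 onward yields "ns18".

# Fragile form, as used in the script (kept for comparison).
conn_by_column() {
    printf '%s\n' "$1" | grep 'connected to' | cut -c22-
}

# Field-based form: everything after the literal separator, first match only.
# Profile names may contain spaces ("Wired connection 1"), so splitting on
# whitespace (cut -d " " -f4) would truncate them; split on the separator.
conn_by_field() {
    printf '%s\n' "$1" | awk -F': connected to ' '$2 != "" { print $2; exit }'
}

# Preferred when scripting: ask nmcli for machine-readable output.
#   nmcli -g NAME,DEVICE connection show --active
# prints "NAME:DEVICE" per active profile. The first argument is that
# captured output (constructed in the test), the second the device to map.
conn_for_device() {
    printf '%s\n' "$1" | awk -F: -v d="$2" '$NF == d { print $1; exit }'
}

# Example use on a live host (not run here):
#   INTERFACE=$(conn_for_device "$(nmcli -g NAME,DEVICE connection show --active)" ens18)
#   [ -n "$INTERFACE" ] || { echo "no active connection on ens18" >&2; exit 1; }
#   nmcli con mod "$INTERFACE" ipv4.dns "$IP"
```

The last function is the one worth keeping: it resolves the profile name from the device you actually care about, and an empty result is an explicit error instead of a silently mangled name being passed on to `nmcli con mod`.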
fumatchu commented 2 months ago

OK, so that's the issue. I was wondering if that was going to happen. thank you for the input.. let me update this and thank you for the recommendation. I will let you know when this is updated

fumatchu commented 2 months ago

I am running a test to make sure everything is good.. give me about 30 minutes to make sure all is good and I will republish.. Thank you again for your input

fumatchu commented 2 months ago

OK, I updated the scripts.. Things look good.. Please let me know your results, and thank you again for being patient and your suggestion. I greatly appreciate it

Carbon401 commented 2 months ago

Again no go. Can't load /etc/samba/smb.conf - run testparm to debug it /etc/samba/smb.conf is missing.

fumatchu commented 2 months ago

Would you have time to get on a Webex with me? I would be interested to see your deployment as it runs. If mock is successful, you should have a .samba folder in the root directory. Can you validate that you have that folder? /root/.samba

If you do, can you then run this command and provide the output?

    dnf -y install --nogpgcheck samba-dc samba-client krb5-workstation samba \
        --repofrompath=samba,/root/.samba \
        --enablerepo=samba

I am now puzzled on why it is failing. The interface name is corrected (thanks to you), so that variable will carry through the rest of the deployment. But we're not getting to the point of changing the DNS entry in the script to the local IP of the server, so that doesn't even play into the issue. When mock builds, it should be creating the RPMs samba-dc and samba-common in the .samba folder of root. This is the RPM that contains the smb.conf file:

    rpm -ql /root/.samba/samba-common-4.19.4-105.el9_4.dc.noarch.rpm
    /etc/logrotate.d
    /etc/logrotate.d/samba
    /etc/samba
    /etc/samba/lmhosts
    /etc/samba/smb.conf
    /etc/samba/smb.conf.example
    /etc/sysconfig/samba
    /run/samba
    /run/winbindd
    /usr/lib/sysusers.d/samba.conf
    /usr/lib/tmpfiles.d/samba.conf
    /usr/share/man/man5/lmhosts.5.gz
    /usr/share/man/man5/smb.conf.5.gz
    /usr/share/man/man5/smbpasswd.5.gz
    /usr/share/man/man7/samba.7.gz
    /var/lib/samba
    /var/lib/samba/lock
    /var/lib/samba/private
    /var/log/samba
    /var/log/samba/old

Can we validate that the local repo exists?

    dnf provides samba
    Last metadata expiration check: 0:00:08 ago on Thu 11 Jul 2024 02:00:43 PM EDT.
    samba-4.19.4-105.el9_4.x86_64 : Server and Client software to interoperate with Windows machines
    Repo        : baseos
    Matched from:
    Provide    : samba = 4.19.4-105.el9_4

    samba-4.19.4-105.el9_4.dc.x86_64 : Server and Client software to interoperate with Windows machines
    Repo        : @System
    Matched from:
    Provide    : samba = 4.19.4-105.el9_4.dc

You should get two results: baseos and @System (@System being the /root/.samba folder).

Please let me know, and thank you for continuing to work with me on this.

fumatchu commented 2 months ago

Just a follow-up here. Thinking more about this, I think the above is working (mock), because you have an smb.bak.orig. The script looks for smb.conf and moves it, because when you provision the domain a new smb.conf is created:

    mv -f /etc/samba/smb.conf /etc/samba/smb.bak.orig

Then we provision the domain:

    samba-tool domain provision \
        --realm="$DOMAIN" \
        --domain="$ADDOMAIN" \
        --adminpass="$ADMINPASS"

DOMAIN and ADDOMAIN are variables set at the top of the script, using the following:

    # strip the host label from the FQDN, then upper-case the remainder (GNU sed \U)
    DOMAIN=$(hostname | sed 's/^[^.:]*[.:]//' | sed -e 's/\(.*\)/\U\1/')
    # same, keeping only the first label for the NetBIOS domain name
    ADDOMAIN=$(hostname | sed 's/^[^.:]*[.:]//' | cut -d. -f1 | sed -e 's/\(.*\)/\U\1/')

I provide this as a portion of the review before deployment:

    The installer will deploy Samba AD with the following information:
    Hostname: ${GREEN}$HOSTNAME${TEXTRESET}
    REALM: ${GREEN}$DOMAIN${TEXTRESET}
    DOMAIN: ${GREEN}$ADDOMAIN${TEXTRESET}
    Administrator Password: ${GREEN}$ADMINPASS${TEXTRESET}
    NTP Client Scope: ${GREEN}$NTPCIDR${TEXTRESET}

I am assuming your names look correct before deployment (REALM and DOMAIN). Do you mind me asking what the domain is that you are trying to provision? I'm just wondering if there is a conflict in nomenclature and what the script is passing is not acceptable to samba-tool.

From the Samba website: https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Using_a_Generic_Domain_Name

NetBIOS Domain Naming

Since NetBIOS has very few possibilities in what domain names are acceptable, there is less you can do to avoid potential naming conflicts. Typically and recommended is to pick the first part of your domain name for the NetBIOS domain (note: this is another name for 'workgroup'). For example, if your domain name is "samdom.example.com", you might pick the NetBIOS name "SAMDOM". Whatever you use for your NetBIOS name, ensure it is just one word, no longer than 15 characters and without any punctuation; this includes periods '.'. This appears to be especially important with Windows 10 clients: there have been reports that they cannot join the domain if the NetBIOS domain name contains a period.

How Should I Name My Domain?

Before we look at your options, let's look at some desirable features our domain name should have:

- The domain name should be globally unique. This ensures that no matter what the computer is configured to use for DNS resolution, the name will either resolve properly or will not return a domain (NXDOMAIN). There should never be a domain name conflict!
- The domain should be associative to your organization. The domain name should ideally be related to your organization, making it easy to remember.
- The domain should be in your control. A domain name that you control (by being the registered owner of it) helps to prevent malicious use. Domain name registration is cheap and desirable for any enterprise anyway.
- The domain name should still be a valid domain name; that way you can get 3rd party SSL certificates for it, if you desire.

The FQDN for an Active Directory domain name is limited to 64 bytes, including the dots. An Active Directory server name example: s4ad01.office.example.tld

Whatever domain name you use, it should not be resolvable from the internet; it is not a good idea to have any AD domain computer connected directly to the internet.

In your original post, I saw that you had dc.*****.lan (assuming the asterisks were to hide the name). You may want to try to provision the domain manually to see if there is a conflict. That being said, I should probably add a checker there to validate that samba-tool was OK with the name.

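The pre-provision checker that the comment above says the script should grow, as an added example (not the project's code): it derives the realm and NetBIOS domain from the hostname the way the script does, applies the naming rules quoted from the Samba wiki, and checks the administrator password against the complexity rule that makes `samba-tool domain provision` fail. Assumptions are labelled in the comments: Samba's provisioning defaults (minimum password length 7, complexity on, meaning three of the four classes upper/lower/digit/other), and the hostnames and passwords in the usage lines are made up.

```shell
#!/bin/sh
# Added example, not code from the RADS script: checks to run before
# `samba-tool domain provision`, so a bad name or a weak password is
# reported by the installer instead of surfacing later as a missing
# /etc/samba/smb.conf and a samba.service that will not start.
#
# Assumptions: the realm is derived from the FQDN the way the script does it
# (drop the host label, upper-case the rest); the password rules are Samba's
# provisioning defaults (minimum length 7, complexity on: at least three of
# upper/lower/digit/other). The "must not contain the account name" part of
# the Microsoft rule is not checked here.

LC_ALL=C; export LC_ALL   # keep [A-Z] style ranges byte-exact

derive_realm() {          # dc.example.lan -> EXAMPLE.LAN
    printf '%s\n' "$1" | sed 's/^[^.]*\.//' | tr '[:lower:]' '[:upper:]'
}

derive_netbios() {        # dc.example.lan -> EXAMPLE
    derive_realm "$1" | cut -d. -f1
}

# Realm: must be a dotted name (a bare hostname yields a one-label "realm")
# and at most 64 bytes including the dots.
check_realm() {
    case $1 in
        *.*) ;;
        *)   echo "realm '$1' has no dot: set a FQDN hostname first" >&2; return 1 ;;
    esac
    [ "${#1}" -le 64 ] || { echo "realm '$1' exceeds 64 bytes" >&2; return 1; }
}

# NetBIOS domain: one word, 1-15 characters, no punctuation. Hyphens are
# tolerated here because samba-tool accepts them; the Samba wiki advises
# against any punctuation at all.
check_netbios() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ] ||
        { echo "NetBIOS name '$1' must be 1-15 characters" >&2; return 1; }
    case $1 in
        *[!A-Za-z0-9-]*) echo "NetBIOS name '$1' contains spaces or punctuation" >&2; return 1 ;;
    esac
}

# Admin password: length >= 7 and at least three of four character classes.
check_adminpass() {
    [ "${#1}" -ge 7 ] || { echo "password shorter than 7 characters" >&2; return 1; }
    n=0
    case $1 in *[A-Z]*)        n=$((n+1)) ;; esac
    case $1 in *[a-z]*)        n=$((n+1)) ;; esac
    case $1 in *[0-9]*)        n=$((n+1)) ;; esac
    case $1 in *[!A-Za-z0-9]*) n=$((n+1)) ;; esac
    [ "$n" -ge 3 ] ||
        { echo "password needs characters from 3 of 4 classes (upper, lower, digit, other)" >&2; return 1; }
}

# Run all checks for a hostname and password; non-zero on the first failure.
preflight() {
    realm=$(derive_realm "$1")
    check_realm "$realm" && check_netbios "$(derive_netbios "$1")" && check_adminpass "$2"
}

# In the installer (not executed here), gate provisioning on the checks and
# on samba-tool's own exit status:
#   preflight "$(hostname)" "$ADMINPASS" || exit 1
#   samba-tool domain provision --realm="$DOMAIN" --domain="$ADDOMAIN" \
#       --adminpass="$ADMINPASS" || { echo "provision failed" >&2; exit 1; }
```

Running `preflight` on a host whose `hostname` has no dot is the realm check firing for the short-hostname case, which is otherwise easy to miss on a minimal install; `samba-tool`'s exit status still has to be checked afterwards, because these checks only cover the failures a shell can predict.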
fumatchu commented 2 months ago

One more thought.. the AD password: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Administrator password | --adminpass | Sets the domain administrator password. If the password does not match the complexity requirements, the provisioning fails. For details, see Microsoft TechNet: Passwords must meet complexity requirements (https://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx).

Carbon401 commented 2 months ago

Thanks. It was the password complexity. Now it works. But maybe you should check the exit code and show the error so there's no guessing involved. It's a good idea to have exit code checks on every step. Maybe use something like

    # minimal logger so check_exit_code has something to call
    log() { printf '%s\n' "$*" >&2; }

    check_exit_code() {
        if [[ ${1} -ne 0 ]]; then
            log "Error #${1}. ${2} Exiting..."
            exit ${1}
        fi
    }

    samba-tool domain provision \
        --realm="$DOMAIN" \
        --domain="$ADDOMAIN" \
        --adminpass="$ADMINPASS"
    check_exit_code $? "samba-tool provisioning failed."

    # another critical command
    check_exit_code $? "another critical command failed."

    # another critical command
    check_exit_code $? "another critical command failed."

    # and so on

Also, as a suggestion, it may be a good addition to include this plugin with the Cockpit installation: https://wiki.samba.org/index.php/GSOC_cockpit_samba_ad_dc

Again, thanks for your work.

EDIT: Is there a way to setup a DNS forwarding in this setup so all non-resolved queries are forwarded to another DNS?

fumatchu commented 2 months ago

Thank you for your input. I will admit that I have been learning as I created this project. I really appreciate all your input and suggestions, and your patience as we worked through the challenges. I have also learned from this experience, which I greatly appreciate, and it will help make the script better, which I will continue to mature.
To answer your question, the script uses the Internal Samba DNS resolver. As far as I know, to this point, it only has one forwarder and that is to send everything to the upstream (DNS) forwarder that is in the smb.conf file. There is the concept of the bind9_DLZ that is supported by Samba, that will allow you to do what you are asking.

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

This is actually on my concept "todo list" and is something I would like to implement in the next 6 months. Currently, for work, I am working on a couple projects and hope to come back to this one in the fall. I have no intention of leaving this one "as-is".

Again, I am grateful for your patience and your suggestions. Thank you, again!
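
For the forwarding question raised above, here is an added example (not RADS code) of setting the forwarder for Samba's internal DNS server: queries the DC is not authoritative for go to the address(es) in the `dns forwarder` parameter under `[global]` in smb.conf, and that parameter takes a space-separated list of servers. The functions rewrite that key idempotently and read it back; the smb.conf they operate on is constructed inline to resemble what provisioning writes, and the 10.0.0.x / 192.0.2.x addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the RADS script: set the internal DNS
# forwarder(s) in smb.conf and read them back. Samba's internal DNS server
# forwards queries it is not authoritative for to the addresses in
# "dns forwarder" (space-separated list) under [global].

# Constructed sample resembling what `samba-tool domain provision` writes;
# prints the path of a temporary file.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Global parameters
[global]
    dns forwarder = 8.8.8.8
    netbios name = DC
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    workgroup = EXAMPLE

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
EOF
    printf '%s\n' "$f"
}

# Print the current forwarder list from [global] (empty if unset).
get_dns_forwarder() {
    awk -F= '
        /^[[:space:]]*\[/ { g = (tolower($0) ~ /^[[:space:]]*\[global\]/) }
        g && tolower($1) ~ /^[[:space:]]*dns forwarder[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
            print $2; exit
        }' "$1"
}

# set_dns_forwarder <smb.conf> <addr> [<addr>...]
# Replaces the first "dns forwarder" line in [global], drops any duplicates
# in that section, and appends the key if [global] had none. Rewrites the
# file through a temp copy so the permissions on smb.conf are preserved.
set_dns_forwarder() {
    conf=$1; shift
    tmp=$(mktemp) || return 1
    awk -v fwd="$*" '
        /^[[:space:]]*\[/ {
            if (g && !done) { print "    dns forwarder = " fwd; done = 1 }
            g = (tolower($0) ~ /^[[:space:]]*\[global\]/)
        }
        g && tolower($0) ~ /^[[:space:]]*dns forwarder[[:space:]]*=/ {
            if (!done) { print "    dns forwarder = " fwd; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!g) print "[global]"; print "    dns forwarder = " fwd }
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On a live DC (not run here): edit, validate, restart, then test resolution.
#   set_dns_forwarder /etc/samba/smb.conf 192.0.2.53 192.0.2.54
#   samba-tool testparm && systemctl restart samba
#   dig +short @127.0.0.1 www.example.com
```

Pointing the forwarder at a resolver you control rather than a public one keeps the DC's outbound lookups inside the network, which matches the wiki advice quoted earlier about not exposing AD hosts directly to the internet.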